Breaking

Companies Want Lawsuit Shield to Share Cyber Threat Data

March 7 (Bloomberg) -- A month after President Barack Obama
issued an executive order on strengthening U.S. cybersecurity,
companies want Congress to provide incentives for joining the
federal push for sturdier computer defenses.

Under Obama’s Feb. 12 order, the U.S. is to develop
voluntary cybersecurity standards for critical industries and
speed up government sharing of threat information with the
private sector. Companies such as Dow Chemical Co., AT&T Inc.,
and Intel Corp. want lawmakers to give companies immunity from
lawsuits on data exchanges with other firms and the government.

“Cybersecurity is largely a voluntary effort, and the task
of the government is encouraging companies to participate,”
said Gus Coldebella, a former top lawyer at the Department of
Homeland Security and a partner in Washington at Goodwin Procter
LLP. “If you don’t have liability protection, that task is
infinitely harder.”

Companies are concerned about privacy lawsuits if they
share information on customers; negligence lawsuits for failing
to act on information they receive; and public disclosure of
information they give the government through Freedom of
Information Act requests, Coldebella said in an interview.

Companies that adopt the voluntary standards also want
protection from lawsuits if they are subject to a catastrophic
attack, he said.

Obama said the executive order, issued after Congress
failed to agree on cybersecurity legislation last year, is aimed
at shoring up computer defenses for vital sectors such as the
power grid, financial institutions and air traffic control
systems. Administration officials say there are limits to what
they can accomplish through the order and have encouraged
Congress to act.

The administration supports “targeted” liability
protections for companies that share cyber threat data and for
those that follow voluntary security standards, White House
Cybersecurity Coordinator Michael Daniel said at a Feb. 15 event
at the Center for Strategic and International Studies in
Washington.

White House spokeswoman Caitlin Hayden declined to
elaborate in an e-mail on what such targeted protections would
entail.

“There is absolutely a potential for liability protections
to be too broad, creating a moral hazard and absolving companies
of negligence,” she said.

‘Legal Certainty’

The U.S. Chamber of Commerce, the Edison Electric Institute
and 16 other business groups joined on Feb. 13, a day after
Obama’s order, in a letter supporting U.S. House legislation
giving liability protection to companies that provide
information about computer threats.

“The bill provides the needed legal certainty that threat
and vulnerability information voluntarily shared with the
government would be provided safe harbor against the risk of
frivolous lawsuits, would be exempt from public disclosure, and
could not be used by officials to regulate other activities,”
they said.

AT&T Chief Executive Officer Randall Stephenson, in a
separate letter supporting the bill, called for “adding legal
certainty to the sharing of critical cyber threat information.”

The House measure also includes an exemption from antitrust
laws for companies that exchange cyber data with other
businesses in the same industries, the groups said.

‘Massive Bailout’

In the Senate, Rockefeller “has supported certain
liability protections to promote more information sharing,”
Kevin McAlister, a Commerce Committee spokesman, said in an e-mail. Regarding critical-infrastructure companies that follow
cybersecurity standards, Rockefeller “thinks that granting
broad liability protections is committing the American taxpayer
to a potentially massive bailout for what should properly be a
corporate responsibility,” McAlister said.

Senate Republicans and the Chamber of Commerce last year
opposed an Obama-backed bill sponsored by Rockefeller and Carper
to set up voluntary cyber standards, saying they would lead to
burdensome regulation.

Obama, on the other hand, last year threatened to veto the
House bill, which was reintroduced on Feb. 13 by House
Intelligence Committee Chairman Mike Rogers, a Michigan
Republican, and the panel’s top Democrat, C.A. “Dutch”
Ruppersberger, of Maryland. Obama said the measure didn’t go far
enough to boost U.S. computer defenses or adequately protect the
privacy of consumer data.

‘Unprecedented Power’

Rogers has said he’s talking with the White House about the
legislation and expects it to pass the House in April.

The American Civil Liberties Union opposes the Rogers bill,
saying it would allow companies to share sensitive consumer
information with the government, including the National Security
Agency and military agencies.

The ACLU yesterday called on the administration to renew
its veto threat against the Rogers bill. The measure “would
give unprecedented power to companies to give Americans’ private
Internet and communication information to the government,
without a warrant, if they believe it is relevant to
cybersecurity,” the group said in a news release.